(Manually renewed) certificate is valid for another 89 days but browsers don't want to hear it

Support
, ,
1

Hi there!

My YunoHost server

Hardware: Raspberry Pi 3 at home
YunoHost version: 4.4.2.14
I have access to my server : through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain:
I started using Gandi’s API key to make sure my DNS settings were correctly entered. As far as I can tell, the settings are the same as they were when I used to type them up.

Description of my issue

A few days ago, nextcloud, firefox and other services started telling me that the certificate wasn’t valid anymore. Sure enough, when I checked I saw that it had expired a few days prior. I don’t know why it hadn’t renewed automatically this time around but I renewed it manually and the admin interface tells me that all is good:

Great! You’re using a valid Let’s Encrypt certificate!
Certification authority Let’s Encrypt (mydomain.tld)
Validity 85 days

but going to the site from Firefox, even after a few days and/or behind a VPN, I get:

Websites prove their identity via certificates, which are valid for a set time period. The certificate for mydomain.tld expired on 15/12/2022.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

One last thing: the timing of the certificate renewal may have coincided with that of my home IP changing.

Any idea how I can tell the world that my domain has a valid certificate?
Thank you in advance!

2

Bonjour et bonne année!

J’ai toujours ce problème de certificat, je ne vois pas comment m’en débarrasser.
En français cette fois-çi!

Mon serveur YunoHost

Hardware: Raspberry Pi 3 at home
YunoHost version: 4.4.2.14
I have access to my server : through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : oui
If yes, please explain:
J’utilise maintenant l’API de Gandi pour m’assurer que les paramètre DNS sont corrects. Autant que je sache, les paramètres n’ont pas changé. (Le problème décrit çi-dessous était déjà présent.)

Description du problème

Mi-Décembre, Nextcloud, Firefox et d’autres services m’ont dit que mon mon certificat n’était plus valide. C’était exact: quand j’ai vérifié, le certificat avait pour date d’expiration le 15 Décember 2022. Je ne sais pas pourquoi il ne s’est pas mis à jour automatiquement 15 jours avant; peut-être parce que mes paramètres DNS n’étaient plus à jour (j’avais changé d’IP) vers cette période.
J’ai mis les paramètres DNS à jour, d’abord manuellement comme d’hab., puis avec l’API de Gandi. J’ai ensuite renouvellé le certificat manuellement.

A priori, tout va bien:

Great! You’re using a valid Let’s Encrypt certificate!
Certification authority Let’s Encrypt (mydomain.tld)
Validity 70 days

Mais Firefox continue de penser que le certificat a expiré:

Websites prove their identity via certificates, which are valid for a set time period. The certificate for mydomain.tld expired on 15/12/2022.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Comment puis-je convaincre Firefox et autres services que mon domaine a un nouveau certificat?

Merci d’avance!

3

Hello,

after installing a new certificate its important to clear the cache and reopen another tab
sometimes after we’ve installed a certificate the same tab were still open, that will avoid the browser from knowing there is a new certificate,

in chrome clearing the cache could be achieved by CTRL + SHIFT + DEL
in firefox settings → security & privacy.

4

I have sometimes had a ‘stuck’ certificate.

What I did to resolve it, was first revert to a self-signed certificate, and then switch back to LetsEncrypt!

I’m not quite sure what the cause of the hiccup caused at those times.

2 Likes
5

I had the same issue some time ago and solved it like this. Revert back to a self-signed certificate then install a new one from letsencrypt

6

Thank you all. This is interesting: I attempted to use a self-certificate and then one from Let’s Encrypt. It turns out that in both cases I have an error message:

args:
  names:
  - nginx
ended_at: 2023-01-06 08:54:25.092996
error: 'Could not regenerate the configuration for category(s): nginx'
interface: api
operation: regen_conf
parent: 20230106-085351-letsencrypt_cert_install-maindomain.tld
related_to:
- - configuration
  - nginx
started_at: 2023-01-06 08:54:22.563313
success: false
yunohost_version: 4.4.2.14

============

2023-01-06 08:54:22,604: DEBUG - Executing command '['sh', '-c', '/bin/bash -x "./15-nginx" pre \'\' \'\' /home/yunohost.conf/pending/nginx 7>&1']'
2023-01-06 08:54:22,634: DEBUG - + set -e
2023-01-06 08:54:22,636: DEBUG - + . /usr/share/yunohost/helpers
2023-01-06 08:54:22,640: DEBUG - +++ set +o
2023-01-06 08:54:22,643: DEBUG - +++ grep xtrace
2023-01-06 08:54:22,649: DEBUG - ++ readonly 'XTRACE_ENABLE=set -o xtrace'
2023-01-06 08:54:22,651: DEBUG - ++ XTRACE_ENABLE='set -o xtrace'
2023-01-06 08:54:22,848: DEBUG - + do_pre_regen /home/yunohost.conf/pending/nginx
2023-01-06 08:54:22,851: DEBUG - + pending_dir=/home/yunohost.conf/pending/nginx
2023-01-06 08:54:22,853: DEBUG - + cd /usr/share/yunohost/templates/nginx
2023-01-06 08:54:22,855: DEBUG - + nginx_dir=/home/yunohost.conf/pending/nginx/etc/nginx
2023-01-06 08:54:22,857: DEBUG - + nginx_conf_dir=/home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-06 08:54:22,859: DEBUG - + mkdir -p /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-06 08:54:22,868: DEBUG - + cp plain/acme-challenge.conf.inc plain/global.conf plain/ssowat.conf plain/yunohost_panel.conf.inc plain/yunohost_sso.conf.inc /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-06 08:54:22,881: DEBUG - ++ yunohost settings get ssowat.panel_overlay.enabled
2023-01-06 08:54:23,930: WARNING - Error while loading unknown settings Expecting value: line 1 column 1 (char 0)
2023-01-06 08:54:23,936: WARNING - Could not open settings file, reason: Expecting value: line 1 column 1 (char 0)
2023-01-06 08:54:24,083: DEBUG - + panel_overlay=
2023-01-06 08:54:25,087: ERROR - Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx
Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/hook.py", line 306, in hook_callback
    path, args=hook_args, chdir=chdir, env=env, raise_on_error=True
  File "/usr/lib/moulinette/yunohost/hook.py", line 393, in hook_exec
    raise YunohostError("hook_exec_failed", path=path)
yunohost.utils.error.YunohostError: Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx

(https://paste.yunohost.org/raw/otuceciren)
So it looks like there is a problem when updating the nginx configuration.

7

Is this problem only occurring on your main domain, or also on others? Did the main domain change lately? Are there any ‘special’ characters in your domain name?

8

It’s happening for another domain as well: the certificate gets signed but it’s the nginx configuration that fails.

args:
  names:
  - nginx
ended_at: 2023-01-07 12:16:24.393724
error: 'Could not regenerate the configuration for category(s): nginx'
interface: api
operation: regen_conf
parent: 20230107-121541-letsencrypt_cert_install-domain2.tld
related_to:
- - configuration
  - nginx
started_at: 2023-01-07 12:16:21.863601
success: false
yunohost_version: 4.4.2.14

============

2023-01-07 12:16:21,909: DEBUG - Executing command '['sh', '-c', '/bin/bash -x "./15-nginx" pre \'\' \'\' /home/yunohost.conf/pending/nginx 7>&1']'
2023-01-07 12:16:21,939: DEBUG - + set -e
2023-01-07 12:16:21,940: DEBUG - + . /usr/share/yunohost/helpers
2023-01-07 12:16:21,945: DEBUG - +++ set +o
2023-01-07 12:16:21,947: DEBUG - +++ grep xtrace
2023-01-07 12:16:21,954: DEBUG - ++ readonly 'XTRACE_ENABLE=set -o xtrace'
2023-01-07 12:16:21,956: DEBUG - ++ XTRACE_ENABLE='set -o xtrace'
2023-01-07 12:16:22,163: DEBUG - + do_pre_regen /home/yunohost.conf/pending/nginx
2023-01-07 12:16:22,165: DEBUG - + pending_dir=/home/yunohost.conf/pending/nginx
2023-01-07 12:16:22,166: DEBUG - + cd /usr/share/yunohost/templates/nginx
2023-01-07 12:16:22,167: DEBUG - + nginx_dir=/home/yunohost.conf/pending/nginx/etc/nginx
2023-01-07 12:16:22,169: DEBUG - + nginx_conf_dir=/home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-07 12:16:22,170: DEBUG - + mkdir -p /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-07 12:16:22,178: DEBUG - + cp plain/acme-challenge.conf.inc plain/global.conf plain/ssowat.conf plain/yunohost_panel.conf.inc plain/yunohost_sso.conf.inc /home/yunohost.conf/pending/nginx/etc/nginx/conf.d
2023-01-07 12:16:22,187: DEBUG - ++ yunohost settings get ssowat.panel_overlay.enabled
2023-01-07 12:16:23,219: WARNING - Error while loading unknown settings Expecting value: line 1 column 1 (char 0)
2023-01-07 12:16:23,231: WARNING - Could not open settings file, reason: Expecting value: line 1 column 1 (char 0)
2023-01-07 12:16:23,383: DEBUG - + panel_overlay=
2023-01-07 12:16:24,388: ERROR - Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx
Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/hook.py", line 306, in hook_callback
    path, args=hook_args, chdir=chdir, env=env, raise_on_error=True
  File "/usr/lib/moulinette/yunohost/hook.py", line 393, in hook_exec
    raise YunohostError("hook_exec_failed", path=path)
yunohost.utils.error.YunohostError: Could not run script: /usr/share/yunohost/hooks/conf_regen/15-nginx

(https://paste.yunohost.org/raw/uwokohihip)

But before the certificate gets regenerated, I see these 2 warnings:

The configuration file '/etc/dnsmasq.d/MYDOMAIN.COM' has been manually modified and will not be updated

grep: /run/resolvconf/resolv.conf: No such file or directory

(MYDOMAIN.COM is not where yunohost is installed, rather yunohost is at ynh.MYDOMAIN.COM)

Now, the fact that /run/resolvconf/resolv.conf doesn’t exist might explain the error later in the process: it looks like the script is trying to parse an empty file (I could be wrong).

There is no special characters in the domain or sub-domain names. It hasn’t changed for years.

I’ve updated to 4.4.2.14 recently, maybe things are done differently now?

9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.